Malicious Chrome extensions caught stealing ChatGPT and DeepSeek conversations

The OX Research team has uncovered a new malware campaign abusing popular Chrome extensions to steal users’ AI chatbot conversations and browsing data. The campaign involves two malicious extensions that secretly exfiltrate ChatGPT and DeepSeek conversations, along with all open Chrome tab URLs, to remote command-and-control (C2) servers every 30 minutes.

The malicious add-ons masquerade as legitimate AI sidebar tools, impersonating an extension from AITOPIA that overlays a chat interface on any website and supports multiple large language models. To deceive users, the extensions request permission to collect “anonymous, non-identifiable analytics data,” while in reality harvesting full conversation content from ChatGPT and DeepSeek sessions.

The two compromised extensions are “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI,” which has more than 600,000 users and previously carried a Google Chrome “Featured” badge, and “AI Sidebar with Deepseek, ChatGPT, Claude and more,” with over 300,000 users.

According to OX Security, the malware extracts chat messages by scanning specific DOM elements on chatbot webpages, stores the data locally, and then transmits it to attacker-controlled servers such as “chatsaigpt[.]com” and “deepaichats[.]com.” The threat actors also abuse the AI-powered web development platform Lovable to host privacy policies and supporting infrastructure to anonymize their operations and hinder attribution.

Last December, security researchers found that Urban VPN Proxy, another popular browser extension, was spying on users’ AI chatbot interactions.

